
Cisco Router Enumeration

One of the cornerstones of being a hacker is being as versatile as possible and being able to navigate through a number of software packages. But first and foremost, one of the most important skills a hacker/IT professional etc. can have is the art of enumeration. This tutorial will concern enumeration of Cisco routers.

**disclaimer: In general, enumeration is non-malicious, but do so at your own risk, and if it's a router, all remote IP connections are probably recorded on the router and off the router.

Let's say you find some random router and you telnet into it, and it's not password protected, or by some random *cough* password cracking *cough* you find yourself at a prompt. The Cisco IOS has two security levels, one privileged and the other not, thus you have one of the two prompts below:

router>
router#

Where router is the name of the router. This tutorial will be only covering information that's of use at the unprivileged level. Unprivileged access can't change any router configuration, or view specific information, but has access to the majority of all the show commands, commands that are the most useful for enumeration.

The Cisco IOS has a healthy help function; if ever in doubt (and you have the time), gratuitous use of the ? key will give you every possible command you can use. For example, if you were to type s? you'd get all the possible command trees starting with s.

The three commands which will give you the most information are the "show version", "show interfaces" and "sh ip protocols" commands. The first will give you a general, although verbose, description of the router. The second will show you every interface on the router, those that are up and those that are down, along with IP information. The third option will give you information regarding the routing protocol in use, such as the protocol and the networks advertised.

Below I'll include output for each command and explain where the important information lies. Comments will be preceded by two hashes and captures from commands will be enclosed in double asterisks.

router_one uptime is 58 minutes
System returned to ROM by power-on
System image file is "flash:c2600-ik9o3s3-mz.123-3a.bin"
##this is the version of the IOS running

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

Configuration register is 0x2102
##this "configuration register" configures the boot up procedure, more on this below.

**end Output from Show Version**
The show version command gives the most information of all the show commands. The configuration register affects how the system starts up, such as what it boots to and from where, the baud rate, and whether it'll accept interrupts (ctrl+break). 0x2102 configuration register is for normal operation, where it doesn't accept break key combinations at bootup, it boots from flash or the bootrom if that fails, and it has a baud rate of 9600. Alternatively, if you reset the router to configuration register 0x2142 it ignores NVRAM allowing you to bypass the passwords in place for configuration/password recovery, but requires a reboot of the router, and very possibly a physical connection as it'll reboot into an unconfigured router.

As you can see, the show ip interface brief is much more helpful, as it gives us the exact information we need in nice columns. The physical portion of each interface is just if you have the two interfaces connected using the right cables, a correct electrical connection. The line protocol portion of the interface is the lower Layer 2, meaning that it involves frame encoding, clock rate, etc.

**output from show ip protocols**

router_one>sh ip protocols
Routing Protocol is "rip"
##this is the routing protocol being used, Routing Information program
Sending updates every 30 seconds, next due in 15 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 1, receive any version
Interface Send Recv Triggered RIP Key-chain
Serial0/0 1 1 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
192.168.0.0
##this is a list of all advertised networks, some
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)
##The distance is a measure of how likely the router will use a certain gateway

**end all output captures**

There are a number of other commands that can give you information as far as directly connected routers, i.e. the show cdp neighbors command, which will identify nearby router/Cisco devices with CDP (Cisco Discovery Protocol) running, which runs independent of Layer 3 connectivity (without an IP address) since it's a Layer 2 protocol. CDP works with all Cisco IOS enabled devices: PIX firewalls, routers, switches, etc.

Also a nice tidbit of information is the use of the show privilege command, which tells you the level of security you're in. All the above information can be gleaned at the first security level; the output will look as follows:

router_one>show privilege
Current privilege level is 1

There are fifteen security levels, and although all of them can be assigned usernames and passwords, usually only two are used, 1 and 15. In closing, it's always crap to get into a system and not be able to discern it from an Avaya or Cisco, or even worse, a Layer 3 switch from a router.
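As an added example (not part of the tutorial above), here is a small audit script that parses captures of the two commands the tutorial walks through, "show version" and "show ip protocols", and flags the points it raises: a configuration register other than 0x2102 (0x2142 means NVRAM was skipped at boot for password recovery), RIP version 1, and RIP interfaces with no key-chain. The sample captures are constructed to mirror the tutorial's output, with the register deliberately set to 0x2142 so the check fires.

```python
import re

# Constructed sample captures patterned on the tutorial's output (not from a real device).
SHOW_VERSION = """\
router_one uptime is 58 minutes
System image file is "flash:c2600-ik9o3s3-mz.123-3a.bin"
Configuration register is 0x2142
"""
SHOW_IP_PROTOCOLS = """\
Routing Protocol is "rip"
Default version control: send version 1, receive any version
  Interface             Send  Recv  Triggered RIP  Key-chain
  Serial0/0             1     1 2
Routing for Networks:
  192.168.0.0
Distance: (default is 120)
"""

def parse_show_version(text):
    """Return the IOS image name and configuration register from a 'show version' capture."""
    image = re.search(r'System image file is "([^"]+)"', text)
    reg = re.search(r'Configuration register is (0x[0-9A-Fa-f]+)', text)
    return {"image": image and image.group(1), "config_register": reg and reg.group(1)}

def parse_show_ip_protocols(text):
    """Return protocol, RIP send version, per-interface key-chain and advertised networks."""
    proto = re.search(r'Routing Protocol is "([^"]+)"', text)
    send = re.search(r'send version (\d)', text)
    ifaces, nets, section = {}, [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "Interface":
            section = "ifaces"   # rows that follow: name send recv [recv2] [key-chain]
        elif line.startswith("Routing for Networks"):
            section = "nets"
        elif section == "ifaces" and not line.startswith(" "):
            section = None
        elif section == "ifaces":
            ifaces[tok[0]] = None if tok[-1].isdigit() else tok[-1]  # trailing name = key-chain
        elif section == "nets" and re.fullmatch(r"\d+(\.\d+){3}", tok[0]):
            nets.append(tok[0])
    return {"protocol": proto and proto.group(1), "send_version": send and int(send.group(1)),
            "interfaces": ifaces, "networks": nets}

def audit(version, protocols):
    """Flag the settings the tutorial discusses: boot register and RIP version/authentication."""
    findings = []
    if version["config_register"] != "0x2102":
        findings.append(f"config register {version['config_register']} (0x2102 is normal operation)")
    if protocols["protocol"] == "rip" and protocols["send_version"] == 1:
        findings.append("RIP version 1 in use")
    findings += [f"{n}: no RIP key-chain" for n, c in protocols["interfaces"].items() if c is None]
    return findings
```

Run `audit(parse_show_version(SHOW_VERSION), parse_show_ip_protocols(SHOW_IP_PROTOCOLS))` to get the three findings for the sample; a capture with register 0x2102, RIP version 2 and a key-chain on every interface returns an empty list.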

This is not allowed by default, hence 99.9% of the time you won't ever be able to telnet/ssh to a router/switch etc. that has no telnet password set.

Yes, but there are a lot of defaults, and by doing an OS detection and all that, couldn't you find the router, then search online for defaults? (Yes, I'm asking this as a question, 'cause I'm new to this, but am reading a book on it without messing around too much, so the info is like all loose in my head.)

Not with the corporate routers that the OP is using as the subject of the tutorial - they don't ship with a default password set, they ship with no telnet/SSH password set, but will not allow anyone to access them by these means until a password is in place.
It is possible to use a blank password but the router still needs to be configured to accept connections with no password set - configuring this is almost the same process as configuring a password, which is why you very very rarely find a corporate grade Cisco router with a blank RA password.

I remember a while back I read an article about routers that, when under a heavy load or DoS, would maintain functionality at all costs but would drop security. I don't think it was for Cisco routers specifically, but routers in general; any ideas about that, Nokia, as I've had little experience with Cisco routers in an actual production environment.

You may be thinking about switches; one of the earliest attacks against a switched network was to flood the switch with ARP responses, this would overwrite its MAC table and at the same time the clients would obviously be sending 'real' ARP responses, eventually the switch would be flooded to such an extent that it would turn into a hub and hence lose all the security a switch brings to a network.

This was easily patched by vendors and is not very common anymore - attackers have to use targeted ARP poisoning to circumvent a switch in most modern-ish networks.

I have never heard of a router being flooded and losing some of its security functionality, if anything a router would start dropping packets before it lets unsolicited ones through. At least to my knowledge anyway.
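As an added illustration (not part of the post above), this toy model shows the failure mode the reply describes, a fixed-size switch MAC table whose real entries get evicted by a flood of bogus source addresses so that traffic to a known host is flooded like on a hub, alongside the per-port MAC limit that vendors shipped as the fix. The frames, MAC addresses and port names are constructed for the simulation.

```python
from collections import OrderedDict

class CamTable:
    """Toy switch MAC table: fixed capacity, oldest entry evicted when full."""
    def __init__(self, capacity):
        self.capacity, self.entries = capacity, OrderedDict()

    def learn(self, mac, port):
        if mac in self.entries:
            self.entries.move_to_end(mac)
        elif len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # a real host's entry can be pushed out here
        self.entries[mac] = port

    def forward(self, dst_mac):
        # Unknown destination: the switch floods every port, i.e. behaves like a hub
        return self.entries.get(dst_mac, "FLOOD")

class PortSecurity:
    """Per-port cap on learned source MACs; extra addresses are rejected and logged."""
    def __init__(self, max_macs):
        self.max_macs, self.seen, self.violations = max_macs, {}, []

    def admit(self, mac, port):
        macs = self.seen.setdefault(port, set())
        if mac not in macs and len(macs) >= self.max_macs:
            self.violations.append((port, mac))
            return False
        macs.add(mac)
        return True

def simulate(flood_frames, max_macs_per_port=None, capacity=16):
    """Replay constructed frames; return where host B's traffic goes after the flood."""
    cam = CamTable(capacity)
    sec = PortSecurity(max_macs_per_port) if max_macs_per_port else None
    frames = [("aa:aa:aa:00:00:01", "Fa0/1"), ("bb:bb:bb:00:00:02", "Fa0/2")]  # legit hosts
    frames += [(f"de:ad:be:ef:{i >> 8:02x}:{i & 255:02x}", "Fa0/3") for i in range(flood_frames)]
    for mac, port in frames:
        if sec is None or sec.admit(mac, port):
            cam.learn(mac, port)
    return cam.forward("bb:bb:bb:00:00:02")
```

`simulate(100)` returns "FLOOD" (host B was evicted), while `simulate(100, max_macs_per_port=2)` still returns "Fa0/2" because the flooding port stops learning after two addresses.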


I've seen cases where under either high system load or under reduced free memory (i.e., buggy release + memory leaks + extended up-time), things like ACLs will no longer be processed and various commands will fail (like sh run); however, the router will still pass traffic... It's been fairly rare, but I have seen it happen...
